AV-Test Certifies Security Products on Windows 7

The test and consulting firm ranked the 19 antimalware products in three categories: protection, repair and usability. Three products failed to get certified: BullGuard Internet Security 9.0, McAfee Internet Security 2010 and Trend Micro Internet Security Pro 2010.

The top performers (top scores in two of the three categories) were Kaspersky Internet Security 2010, Panda Internet Security 2010 and Symantec Norton Internet Security 2010. All passed with AV-Test certification, along with 10 other security products. The complete AV-Test list can be found here.

Microsoft Security Essentials 1.0, the free consumer antimalware solution, passed certification. According to AV-Test's MSE stat sheet, MSE had a top-ranking score on its usability tests. It also performed well in detecting widespread malware, but scored lower when protecting against zero-day malware attacks. It had respectable results cleaning malware off an infected computer. MSE also "achieved VB100 certification last week," according to a Microsoft spokesperson via e-mail. A Microsoft blog points to both achievements.

A Microsoft spokesperson attributed the positive usability results to MSE's lightweight design for consumers. It's designed to run on older PCs and only alerts users if an action needs to be performed. MSE is based on the Microsoft Forefront Client Security "engine technology, signatures and research teams," according to the spokesperson.

AV-Test conducted its tests during the second quarter of this year. For its protection tests, the firm examined each product's ability to deliver "static and dynamic malware protection" as well as protection against zero-day attacks, which leverage vulnerabilities in software that have not yet been disclosed or patched. Testing the repair capabilities involved checking each product's "system disinfection and rootkit removal." In testing usability, AV-Test measured any system slow-down caused by the product, as well as any false-positive results.

Of six points total, products scoring lowest on the protection side included Norman Security Suite 8.0 (score 2) and Trend Micro Internet Security Pro 2010 (score 2.5). The sole low performer on the repair side was McAfee Internet Security 2010 (score 2). Results were a little more level on the usability side, with BullGuard Internet Security (score 3) achieving the lowest score.

The sheer growth in malware volume might seem to make usability the death knell for all antimalware products. According to a video by Kaspersky Lab, the number of files requiring blacklisting by security software has grown from 3 million files in 2007, to 17 million in 2008 and 34 million in 2009. The number of malicious files has roughly tripled each year.

Kaspersky's software performed well on the usability side because of technology that handles old virus signatures, according to Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab Americas.

"If we were to uniquely identify each specific malware sample in our product, then, in a number of years, the size of the malware detection database would outgrow the average amount of RAM on the system," Schouwenberg said via e-mail. "However, new technologies allow us to create different kinds of signatures which can replace up to 100,000 old signatures."

Microsoft also uses generic signatures to keep down the bloat of its antivirus signature downloads.

"We're cognizant of file size and we try to streamline downloads and use generic signatures to target entire families of malware rather than release a signature for each variant," a Microsoft spokesperson said via e-mail. "We also revisit older signatures and tune them to catch current variants rather than create brand new signatures, reducing the amount of accumulation of virus definitions and impact on system performance."
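The contrast both vendors describe, one exact signature per sample versus one generic signature per family, can be shown in a few lines. The following is an added illustration, not code from the article, AV-Test, Kaspersky Lab or Microsoft: it constructs a toy "family" of five variants that share a loader stub but differ in a per-variant key byte and padding, builds a per-sample SHA-256 database from four of them, and compares that against a single wildcard pattern over the family's stable bytes. The family bytes, the `make_variant` helper and the benign sample are all constructed for the example.

```python
import hashlib
import re

# Constructed toy family: a shared stub, then one variant-specific key byte,
# then a stable call instruction, then variant-specific padding. Real families
# vary in far more subtle ways; this only illustrates the database-size point.
FAMILY_STUB = b"\x55\x8b\xec\x83\xec\x10"       # constructed prologue bytes
STABLE_TAIL = b"\xe8\x00\x00\x00\x00"           # constructed call instruction


def make_variant(key: int, padding: bytes) -> bytes:
    """Build one constructed family member (hypothetical helper)."""
    return FAMILY_STUB + bytes([key]) + STABLE_TAIL + padding


VARIANTS = [make_variant(k, bytes([k]) * 8) for k in range(1, 6)]
BENIGN = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 16


def exact_hash_db(samples):
    """Per-sample signature database: one hash entry per known variant."""
    return {hashlib.sha256(s).hexdigest() for s in samples}


def detect_by_hash(db, sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() in db


# Generic signature: the family's stable bytes with a one-byte wildcard where
# the key varies. re.DOTALL makes '.' match any byte, including 0x0a.
GENERIC_SIG = re.compile(
    re.escape(FAMILY_STUB) + b"." + re.escape(STABLE_TAIL), re.DOTALL
)


def detect_by_generic(sample: bytes) -> bool:
    return GENERIC_SIG.search(sample) is not None


def compare(known, unseen: bytes) -> dict:
    """Size and coverage of the two approaches after 'known' variants are seen."""
    db = exact_hash_db(known)
    return {
        "hash_entries": len(db),            # grows by one per variant
        "generic_entries": 1,               # one pattern covers the family
        "hash_catches_unseen": detect_by_hash(db, unseen),
        "generic_catches_unseen": detect_by_generic(unseen),
        "generic_hits_benign": detect_by_generic(BENIGN),
    }


if __name__ == "__main__":
    # Four variants are "known"; the fifth is a new variant released later.
    print(compare(VARIANTS[:4], VARIANTS[4]))
```

The per-sample database misses the fifth variant until a fresh signature ships, while the generic pattern catches it with no database growth; the benign sample is checked to show the wildcard did not widen the signature enough to hit unrelated files. Tuning an existing generic signature, as Microsoft's spokesperson describes, corresponds here to adjusting the wildcard region rather than adding entries.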

Whitelisting isn't a solution to the potential bloat of antimalware products either. A pure whitelist approach (maintaining a list of known "good" executable files) would amount to more than 100 million files, according to the Kaspersky Lab video. Moreover, whitelists can be fooled. Schouwenberg pointed to cases where legitimate software gets loaded with malicious code, such as via the Induc virus.

"There are tons and tons of (digitally signed) files out there which have this [Induc] virus," he said. "Whitelisting can't be applied in a generic way and there are too many ways to basically fool whitelisting. For those reasons I'm convinced that we need to look at whitelisting mostly so that we can treat the non-whitelisted files with more suspicion."

The Kaspersky Lab video also suggested that cloud computing could be enlisted to better enable such a whitelist strategy.